File Systems

Question 1

FAT

Answer 1

• File Allocation Table
• Used for MS-DOS
• Simple index table to track files on disks
• Still the default file system for USB thumb drives and memory cards used with cameras
• used on the EFI booting partitions

Question 2

What are the different types of FAT

Answer 2

• FAT12
• FAT16
• FAT32
• Extended File Allocation Table (exFAT)

Question 3

What does the number in FAT stand for?

Answer 3

• refers to the number of bits used for clusters addressing

- 12 bit FAT can have a cluster size of 2^12

Question 4

Cluster

Answer 4

• smallest logical unit a file system can allocate to a file
• defined when you format the partition
• starts at 512 bytes, up to the limit of the file system
• clusters are logical

Question 5

What are the two types of formating?

Answer 5

• High Level (logical) -> initializing the disk
• Low Level -> usually done at the manufacturer
• • “formatting” in this course is High Level

Question 6

What are the 3 “areas” of a FAT file system Structure?

Answer 6

• Reserved Area
• FAT Area
• Data Area

Question 7

How many Reserved Sectors are there for each type of FAT in the Reserved Area?

Answer 7

• FAT12 = 1 Reserved Sector
• FAT16 = 1 Reserved Sector
• FAT32 = 32 Reserved Sectors

Question 8

What is in the Reserved Area of both FAT12 and FAT16?

Answer 8

• the entire singe Sector is the Boot Sector

Question 9

What is in the Reserved Area of FAT32?

Answer 9

• Boot Sector
• FSINFO
• Boot Strap
• Reserved Sectors
• • remember, 32 total sectors in the Reserved Area

Question 10

How do you find FAT#1?

Answer 10

1. Go to the boot sector
2. Check the value in the “Reserved No. of Sectors” section
3. Go to that sector value found in (2) leads to FAT#1

Question 11

How do you find FAT#2?

Answer 11

1. Go to the boot sector
2. Check the value in the “Reserved No. of Sectors” section
3. Check the value in the “Sectors per FAT” section
4. Adding value found in (2) with the value found in (3), leads to the location of FAT#2

Question 12

Where is the Root Directory located?

Answer 12

• the Root Directory of the file system is located in Cluster #2

Question 13

What happens when a file is deleted?

Answer 13

1. the system changes the first character in the file name to 0xE5
2. the cluster entries for the file in FAT are all zeroed out
3. the starting cluster in the directory entry is left as it is
4. the contents of the file ( in clusters ) still exist on the disk (until their clusters are used again).

Question 14

What is Journaling in NTFS

Answer 14

• the file system uses a log file ($LogFile) to store all metadata changes
• helps with recovery

Question 15

What is a key difference with NTFS vs. FAT

Answer 15

• based on files and not on dividing the volume into separate spaces

Question 16

File carving

Answer 16

• forensic technique that recovers files based merely on file structure and content from raw data
• EX: recover deleted file from unallocated disk space

Question 17

TSK

Answer 17

• The SleuthKit

- collection of CLI tools to help analyze disk images and recover files